[jnk345u8dfg9hjk]

> A full-time attacker just need to spend their day scouting for approved firmwares and re-use them

What do you mean by that? The secure boot chain (all the way from the boot ROM) must not be broken for "hardware-backed" Play Integrity to pass. How could you reuse firmware with that in mind?

[phh]

Play Integrity API passes enough for most apps, including Google Pay (the only known exception is Mc Donalds) by simply reusing the "fingerprint" of another device (the "fingerprint" is basically just a version number, except it's globally unique not just model-unique). In those cases, if the system says "sorry I don't know how to do the secure boot chain verification" rather than "the secure boot chain says it is an un-certified firmware", Play Integrity API will say all is good.